Kelp (KernelDAO) Web3 Audit — What’s Secure, What’s At Risk, What To Do Now
Executive Summary
- Systemic cross-chain risk materialized: An rsETH bridge incident on April 18, 2026, triggered market-wide freezes and bad-debt scenarios across DeFi integrations, including Aave [1] [2].
- Strong TVL positioning: Kelp claims ~$1.65–$1.7B in TVL, with DefiLlama reporting up to $2B, making it a dominant liquid restaking protocol [3] [4].
- Centralization and Audit Risks: A March 2024 MixBytes audit highlighted significant centralization risks, including a 3/5 Admin multisig and a 2/4 Manager multisig with extensive powers. Several medium and low-severity issues remain acknowledged rather than fixed [5].
- Tokenomics breach conservative thresholds: The $KERNEL governance token allocates 20% to the team and 20% to private sale investors, both exceeding the 10% conservative threshold [6].
1. General Description
Kelp DAO is a decentralized liquid restaking protocol built on top of EigenLayer [7]. It solves the problem of capital inefficiency in restaking by allowing users to restake their Ethereum (ETH) and other assets while maintaining liquidity through its receipt token, rsETH [4] [8].
The primary audience includes DeFi users and ETH holders looking to earn restaking yields without locking up their capital. The main products in the KernelDAO ecosystem include:
- Kelp LRT (rsETH): The liquid restaking token [9].
- Kernel: Shared security infrastructure on BNB Chain [9].
- Gain: Automated yield vaults [9].
2. Team
The founders and key contributors are known and have verifiable professional backgrounds.
- Amitej Gajjala: Co-founder at KernelDAO and previously part of the core team at Stader Labs [10] [11].
- Dheeraj Borra: Co-founder at KernelDAO, also associated with Stader Labs [12] [11].
The project operates under KernelDAO. However, governance is currently highly centralized. The protocol relies on a 2/4 multisig for the Manager role and a 3/5 multisig for the Admin role, with overlapping ownership [5]. While a transition to a DAO structure with timelocks was recommended by auditors, the team noted that it was "too early" to discuss the end state of governance as they did not yet have a governance token at the time of the audit [5].
3. Traction / Fundamentals
- TVL: Approximately $1.7B to $2B, making it the second-largest liquid restaking token (LRT) protocol [9] [3] [4].
- Users: The platform claims "300K+ users" and "400,000+ unique restakers," though these are marketing figures and usage quality remains unverified [9] [4].
- Revenue / Earnings: DefiLlama tracks fees and revenue for Kelp, with one report citing $3.0 million in annualized revenue as of March 2026 [13] [3]. However, specific fee schedules and protocol take-rates are not explicitly detailed in the provided documentation. Revenue has not been verified against primary on-chain dashboards in this context.
- Trend: Growth in TVL, but recent liveness and usage trends are unclear following the April 2026 exploit.
- Usage Quality: Unverified.
- Where the product is used: rsETH is integrated across 40+ DeFi platforms and is live on 10+ chains [3] [4].
4. Concept / Documentation
The core concept is liquid restaking via EigenLayer. Users deposit ETH or supported LSTs, which are then delegated to node operators on EigenLayer to secure various Actively Validated Services (AVSs). In return, users receive rsETH, which accrues restaking rewards and can be used in DeFi [7] [5].
The product differentiates itself through its multi-chain expansion (live on 10+ chains) and deep liquidity integrations ($300M+ across lending protocols) [4]. However, this multi-chain architecture introduces significant bridge and wrapper dependencies.
5. Coin / Tokenomics
The ecosystem utilizes the $KERNEL token as a unified governance token across Kelp, Kernel, and Gain [6].
$KERNEL Token Allocation
| Category | Allocation | Audit Threshold | Status |
| --- | --- | --- | --- |
| Community Rewards & Airdrops | 55% | N/A | Pass |
| Team & Advisors | 20% | Max 10% | Fail |
| Private Sale (Investors) | 20% | Max 10% | Fail |
| Ecosystem & Partners | 5% | N/A | Pass |
Takeaway: Both the team and investor allocations significantly exceed the strict 10% threshold, presenting an elevated sell-pressure risk. Tokens are vested over 24 months after a 6-month lock-up post-TGE (targeted Q1 2025) [6].
Token valuation unverified: Market cap, FDV, and circulating supply data are not available in the provided context.
6. Code
The core code is open-source and available on GitHub (e.g., Kelp-DAO/LRT-rsETH) [7].
Audit Status
The protocol was audited by MixBytes in March 2024 [5].
| Severity | Count | Fixed | Acknowledged |
| --- | --- | --- | --- |
| Critical | 0 | 0 | 0 |
| High | 4 | 3 | 1 |
| Medium | 10 | 2 | 8 |
| Low | 8 | 0 | 8 |
Takeaway: While critical and most high-severity issues were fixed, numerous medium and low-severity issues were merely acknowledged. Notably, the audit highlighted centralization risks (Admin and Manager multisigs) and reliance on centralized Chainlink oracle updates, which could lead to potential yield stealing or arbitrage [5].
Critical Path Decentralization: The protocol relies on a 3/5 Admin multisig and a 2/4 Manager multisig. This is a weak decentralization setup and poses an elevated safety risk [5].
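The overlapping ownership noted in section 2 matters because shared signers lower the number of keys that must be compromised to control both roles at once. The following is an added example, not code from Kelp or the MixBytes report: the signer labels and the assumed overlap of two signers are constructed placeholders, and only the 3/5 and 2/4 thresholds come from the audit.

```python
from itertools import combinations

# Constructed signer sets: placeholder labels, not real Kelp signer addresses.
# Thresholds (3/5 Admin, 2/4 Manager) are from the page; the overlap is assumed.
ADMIN = {"threshold": 3, "signers": {"s1", "s2", "s3", "s4", "s5"}}
MANAGER = {"threshold": 2, "signers": {"s4", "s5", "s6", "s7"}}


def satisfied(role, compromised):
    """True if the compromised keys alone meet the role's signing threshold."""
    return len(role["signers"] & compromised) >= role["threshold"]


def min_keys_for_all(roles):
    """Smallest key set that meets every role's threshold simultaneously.

    Exhaustive search, which is fine for multisig-sized signer sets.
    Returns (count, example_set), or (None, None) if no set works.
    """
    universe = sorted(set().union(*(r["signers"] for r in roles)))
    for k in range(1, len(universe) + 1):
        for combo in combinations(universe, k):
            if all(satisfied(r, set(combo)) for r in roles):
                return k, set(combo)
    return None, None


def overlap_report(admin, manager):
    """Compare the key-compromise cost with and without shared signers."""
    actual, example = min_keys_for_all([admin, manager])
    return {
        "shared": admin["signers"] & manager["signers"],
        # Cost if the two signer sets were fully disjoint.
        "disjoint_cost": admin["threshold"] + manager["threshold"],
        "actual_cost": actual,
        "example": example,
    }


if __name__ == "__main__":
    report = overlap_report(ADMIN, MANAGER)
    print(f"shared signers: {sorted(report['shared'])}")
    print(f"keys needed if disjoint: {report['disjoint_cost']}")
    print(f"keys needed with overlap: {report['actual_cost']} "
          f"(e.g. {sorted(report['example'])})")
```

With real signer addresses substituted in, the same check shows how far the effective threshold for taking both roles falls below the sum of the two nominal thresholds.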
7. Risks
- Bridge and Cross-Chain Risks (Elevated Safety & Liveness Risk): On April 18, 2026, an rsETH bridge exploit resulted in the theft of 116,500 rsETH (approx. $292M) [14]. This external event forced Aave to freeze rsETH and wrsETH markets across all deployments to prevent up to $230.1M in bad debt [1] [2].
- Governance and Admin Key Risks (Elevated Safety Risk): The 3/5 Admin multisig has the power to alter contract implementations, designate minters, and adjust crucial addresses without a timelock [5].
- Oracle Risks: Reliance on Chainlink oracles introduces arbitrage risks if there are discrepancies between the actual market price and the oracle-reported price [5].
- External Infrastructure: The protocol depends heavily on EigenLayer and permissioned validator services [5].
8. Community
The project claims a community of "300K+ users" and communicates via X (Twitter), Telegram, Discord, and a dedicated governance forum [6] [4]. Engagement appears heavily incentive-driven, with multiple airdrop seasons, "Kelp Miles," and "Kernel Points" used to bootstrap liquidity and user participation [6].
9. Final Assessment
- Overall project quality: Moderate to Weak. While the protocol has achieved massive TVL and deep DeFi integrations, the recent catastrophic bridge exploit in April 2026 and the persistent centralization of admin keys severely impact its security profile.
- Token / investability view: Watchlist only / Unverified. The $KERNEL tokenomics feature heavy insider allocations (40% combined for team and private investors), and valuation metrics are currently unverified.
Bull Case: The protocol successfully remediates the bridge vulnerabilities, implements decentralized governance with timelocks, and maintains its dominant TVL position within the EigenLayer ecosystem.
Bear Case: Contagion from the April 2026 bridge exploit causes permanent loss of trust, leading to mass withdrawals, DeFi delistings (like Aave), and a collapse in rsETH liquidity.
What would change the view: A comprehensive, third-party post-mortem of the April 2026 exploit, implementation of strict timelocks on the Admin multisig, and transparent on-chain proof of reserves for all bridged rsETH assets.
Documentation Review
Documentation source: https://kerneldao.gitbook.io/kernel
This is an additional verification layer based on official documentation. It does not replace the main audit and does not automatically recalculate the final assessment.
What documentation supports
- Kelp DAO is a decentralized liquid restaking protocol built on top of EigenLayer, using rsETH.
- The ecosystem utilizes the $KERNEL token as a unified governance token across Kelp, Kernel, and Gain.
- The total and maximum supply of $KERNEL is 1,000,000,000 (1 Billion).
- The token distribution is: Community Rewards & Airdrops (55%), Private Sale (20%), Team & Advisors (20%), Ecosystem & Partners (5%).
- The target date for the Token Generation Event (TGE) is Q2 2025.
- Kelp LRT has $2B+ TVL with 575k+ ETH restaked.
- rsETH has undergone audits by SigmaPrime and Code4rena.
What is not confirmed or needs caution
- The documentation does not mention the systemic cross-chain rsETH bridge incident on April 18, 2026, and subsequent freezes on Aave.
- Specific details of the vesting schedule (cliff, linear release) beyond the lock-up and vesting periods are not provided.
- Specifics on how governance rights will be implemented are not detailed.
- The documentation does not provide details on the specific findings of the MixBytes audit or the status of the identified issues.
- Specific details of the Admin and Manager multisig setup (number of signers, powers, timelocks) are not explicitly detailed.
Documentation additions
- rsETH allows users to stay liquid while continuing to earn staking and restaking rewards, usable across DeFi.
- Kernel allows BNB token holders to amplify the utility of their assets through a restaking mechanism.
- Gain vaults are non-custodial, allowing users to withdraw at any time while providing complete transparency.
- The documentation specifies the timeline for Season 1 airdrop as "Through December 31, 2024" and includes a "Loyalty Boost" for Season 2.
- The documentation provides detailed instructions on how to participate in the $KERNEL Megadrop using Binance Wallet.
- The documentation provides detailed instructions on how to withdraw assets from the Kernel Dapp via BscScan after the UI is retired.
Gaps in the documentation itself
- A detailed post-mortem of the April 2026 bridge exploit is missing.
- Specific fee schedules and protocol take-rates are not explicitly detailed.
- On-chain proof of reserves for bridged rsETH assets is not provided.
- Details about the reliance on centralized Chainlink oracle updates and the potential risks associated with it are missing.
- The documentation lacks specific details about the findings and remediation status of the MixBytes audit.
Short takeaway
- The documentation supports the core concepts and tokenomics of the project.
- There is a contradiction regarding the vesting schedule for team and investor tokens; the audit states 24 months after a 6-month lock-up, while the documentation states 36-month vesting after 12-month lock-up for Team & Advisors and 18-month vesting after 12-month lock-up for Private Sale.
- Critical information regarding centralization risks, post-exploit remediation, and specific operational details is missing.
- Addressing these gaps would significantly improve the transparency and trustworthiness of the project.
References
- [1] rsETH Incident Report (April 20, 2026) - Governance - Aave. https://governance.aave.com/t/rseth-incident-report-april-20-2026/24580
- [2] rsETH incident — 2026-04-18 - #75 by EzR3aL - Risk - Aave. https://governance.aave.com/t/rseth-incident-2026-04-18/24481/75
- [3] Kelp TVL, Fees & Revenue - defillama.com. https://defillama.com/protocol/kelp
- [4] http://kerneldao.com/kelp
- [5] http://kerneldao.com/kelp/audits/smartcontracts/mixbytes.pdf
- [6] Announcing $KERNEL tokenomics - Meta-Governance - Kernel DAO. https://forum.kerneldao.com/t/announcing-kernel-tokenomics/24
- [7] Kelp-DAO/LRT-rsETH - GitHub. https://github.com/Kelp-DAO/LRT-rsETH
- [8] Kelp – The Leading Liquid Restaking Protocol. http://kelpdao.xyz/
- [9] KernelDAO : Introduction | KernelDAO litepaper. http://kerneldao.gitbook.io/litepaper
- [10] Amitej Gajjala - KernelDAO | LinkedIn. http://linkedin.com/in/amitej-gajjala
- [11] Crypto startup Stader Labs gets funding at $450-million .... https://m.economictimes.com/tech/funding/crypto-startup-stader-labs-gets-funding-at-450-million-valuation/articleshow/89021014.cms
- [12] Dheeraj Borra - Kernel DAO. https://www.linkedin.com/in/dheeraj-borra
- [13] http://messari.io/report/kelp-introducing-kusd-and-a-unique-commerce-backed-stablecoin-model
- [14] Kelp DAO bridge drained 116,500 rsETH ($292M) in exploit. https://thecoinomist.com/news/kelp-dao-bridge-116500-rseth-exploit-layerzero/